Consider anything that can send untrusted data to the web server, including both the application and its users. Additionally, do not discount users calling the web site, API or web service directly, bypassing the mobile application entirely.

The attack vectors for the conglomeration that is Weak Server Side Controls include several easy-to-exploit, high-risk vulnerabilities (such as server side injection).

Security Weakness Description

Technical Impacts

Business Impacts

Am I Vulnerable To Weak Server Side Controls?

The M1 category is one that is always in heavy debate. It encompasses almost everything that a mobile application can do badly that does not take place on the phone. Which is exactly the argument: should it be listed at all? Don’t we have Top Ten lists for Web Applications? Don’t we have one for cloud too?

In fact, we do. If we could be altogether sure that everyone who wanted information on mobile security also stopped by those projects, it would be a perfect world. Unfortunately, after two rounds of data collection from some of the world’s top assessment teams, we find that server side issues are so prevalent in mobile applications that we cannot ignore them in the Risk listing. While not statistically validated, we feel that several factors lead to bad mobile application server code (and, on a larger scale, to mobile insecurity in general):

Rush to market

Lack of security knowledge because of the new-ness of the languages

Easy access to frameworks that don’t prioritize security

Higher than average outsourced development

Lower security budgets for mobile applications

Assumption that the mobile OS takes full responsibility for security

Weakness due to cross-platform development and compilation

How Do I Prevent Weak Server Side Controls?

Secure coding and configuration practices must be used on the server side of the mobile application. For specific vulnerability information, refer to the OWASP Web Top Ten or Cloud Top Ten projects. We will try to link references to those projects and other OWASP projects that provide more robust descriptions.
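The two points above (untrusted data can arrive from direct API callers, not just the app, and server-side controls must not rely on the client) are illustrated by this added example; it is not code from the OWASP project. The in-memory SQLite store, the session table and the two handler functions are all constructed for the illustration.

```python
import sqlite3

# Constructed stand-in for the mobile backend's database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, owner TEXT, item TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "alice", "phone"), (2, "bob", "laptop")])
    return db

# Constructed session table: tokens issued at login, mapped to the
# authenticated user. Identity must come from here, not from the request body.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

def weak_handler(db, request):
    """Weak server side control: the server trusts the 'user' field the
    mobile app normally fills in and builds SQL by string concatenation.
    Anyone calling the API directly chooses whose orders they read, and
    the concatenation leaves the query open to server side injection."""
    sql = "SELECT id, item FROM orders WHERE owner = '%s'" % request["user"]
    return db.execute(sql).fetchall()

def hardened_handler(db, request):
    """Server side control done on the server: authenticate from the
    session token, derive the owner from the session, and use a
    parameterised query so client data is never interpreted as SQL."""
    user = SESSIONS.get(request.get("token"))
    if user is None:
        return {"status": 401, "body": []}   # unauthenticated direct call
    rows = db.execute("SELECT id, item FROM orders WHERE owner = ?",
                      (user,)).fetchall()
    # Any 'user' field the client sent is ignored; it is not a control.
    return {"status": 200, "body": rows}

if __name__ == "__main__":
    db = make_db()
    # A direct API call with no session still reads bob's data from the weak handler.
    print("weak:", weak_handler(db, {"user": "bob"}))
    # The hardened handler answers only for the session owner, whatever the body says.
    print("hardened:", hardened_handler(db, {"token": "tok-alice", "user": "bob"}))
    print("no token:", hardened_handler(db, {"user": "bob"}))
```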

Example Scenarios

If you look below, you can see that there is a ton of surface area to cover when thinking about M1:

The Worst Offenders

While we cannot go over all of these, what we can do is list vulnerability types that we see most often within mobile applications: